Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1157
Views
0
Helpful
8
Replies

CA signed Cert for CUCM 10.5

Go to solution
chrisnoon11
Level 1
Level 1

‎11-29-2016 02:28 PM - edited ‎03-17-2019 08:49 AM

I have a CUCM 10.5.2 cluster that is currently using self signed tomcat cert. I need to obtain and install a CA signed tomcat cert for the publisher, however the CA will only issue certificates with FQDN's in CN and/or SAN. Unfortunately, no matter what I do, the CSR's generated always include internal hostname in SAN field, so the CA is rejecting them. I do not want to change the server hostnames to FQDN, but I would like the CSR to only include FQDN.

My phones are not using DNS for tftp and DNS is not configured on my CUCM cluster... nor is domain-name.  I have tried this via cli with 'set web-security', as well as via GUI (which actually allows the setting of the CN, but always includes the internal name in the SAN fields, even when the SAN field is left blank.

Thank you in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee

‎11-29-2016 03:11 PM

I'll assume this is a multi-SAN cert you're trying to get

If your CUCM server is defined just as hostname under system -> servers, and you do not have DNS and a domain configured, then you'll only get the hostname.

If you have the hostname and you configure your DNS and domain name, the CSR will use the FQDN from hostname + domain

You'd need to:

A) Add DNS and domain to your config

B) Change to FQDN under system -> server

C) Get the certificates per server, you can adjust the CN when it's going to be issued to just one server.

For multi-san also notice the CN will be added -ms at the end, and that will cause problems with the public CAs

HTH

java

if this helps, please rate

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee

‎11-29-2016 03:11 PM

I'll assume this is a multi-SAN cert you're trying to get

If your CUCM server is defined just as hostname under system -> servers, and you do not have DNS and a domain configured, then you'll only get the hostname.

If you have the hostname and you configure your DNS and domain name, the CSR will use the FQDN from hostname + domain

You'd need to:

A) Add DNS and domain to your config

B) Change to FQDN under system -> server

C) Get the certificates per server, you can adjust the CN when it's going to be issued to just one server.

For multi-san also notice the CN will be added -ms at the end, and that will cause problems with the public CAs

HTH

java

if this helps, please rate
0 Helpful

Go to solution
chrisnoon11
Level 1
Level 1
In response to Jaime Valencia

‎11-30-2016 11:30 AM

Thank you Jaime for the response.  A couple of follow up questions:

Is it ok to do this for only publisher? or does DNS need to be configured clusterwide?

I see that adding domain requires a reboot, and the warning message recommends rebooting all servers when done, but it doesn't state whether the *must* be done clusterwide.

I was not planning on making a multi-SAN cert, and it sounds like that is not an option if I need a CA signed cert.  Is it possible to only make a single-server tomcat cert for the pub, and leave the sub certs alone?

0 Helpful

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee
In response to chrisnoon11

‎11-30-2016 11:47 AM

If this is going to be just for the tomcat and avoid getting the warning when logging, it would be as easy to use an internal CA and keep the hostname.

HTH

java

if this helps, please rate
0 Helpful

Go to solution
chrisnoon11
Level 1
Level 1
In response to Jaime Valencia

‎11-30-2016 12:28 PM

Yes, this is simply to clear the ssl warning on the admin web gui.  Unfortunately, an internal CA is not available.  Renaming all the nodes to FQDN and enabling dns seems like an amount of effort that I'd like to avoid for such a minor issue.

If there's no other way to generate a clean CSR, then I'll see what they want to do.  Thank you for the info!

0 Helpful

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee
In response to chrisnoon11

‎11-30-2016 12:32 PM

Then the option would be to generate the CSR per server, if you have a domain and a windows server, spinning up the CA role takes 10 minutes, and it's free.

HTH

java

if this helps, please rate
0 Helpful

Go to solution
chrisnoon11
Level 1
Level 1
In response to Jaime Valencia

‎11-30-2016 02:59 PM

There is a business requirement that the cert be signed by public CA.  An internal CA would require that the cert chain be trusted by every client browser, unless I'm missing something. 

0 Helpful

Go to solution
Jaime Valencia
Cisco Employee
Cisco Employee
In response to chrisnoon11

‎11-30-2016 03:02 PM

No, that's correct, but I'm assuming you're doing this for the internal clients, right??

If so, you can just distribute the root cert with a group policy

HTH

java

if this helps, please rate
0 Helpful

Go to solution
chrisnoon11
Level 1
Level 1
In response to Jaime Valencia

‎11-30-2016 03:06 PM

Yeah, that would certainly seem easier to me as well.  At this point, I think I'll push for that.   Converting all nodes to FQDN node names seems like overkill.  I was just hoping that there was an easy way to dictate the CN and SAN in the CSR.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents